Javascript X Xss Protection Header Set

Description

Detects potentially dangerous configurations of the X-XSS-Protection HTTP header in JavaScript code. Improper configuration of this header can expose applications to XSS attacks or browser-specific security bypasses, particularly in older versions of Internet Explorer where the header can be manipulated to enable XSS instead of preventing it.

Weakness:

135 - Insecure or unset HTTP headers - X-XSS Protection

Category: Protocol Manipulation

Detection Strategy

• Look for JavaScript code that sets HTTP response headers

• Check if the code sets the X-XSS-Protection header with insecure values

• Flag cases where the header is set without proper security configurations

• Report when header configurations could potentially weaken browser XSS protections

Vulnerable code example

import { HttpHeaders } from "@angular/common/http";

const headers = new HttpHeaders({
  "Content-Type": "application/json",
  "X-XSS-Protection": "0"  // Vulnerable: Disables XSS protection
});

✅ Secure code example

import { HttpHeaders } from "@angular/common/http";

const headers = new HttpHeaders({
  "Content-Type": "application/json",
  "X-XSS-Protection": "1; mode=block",  // Enable XSS protection with blocking mode
  "X-Content-Type-Options": "nosniff"    // Prevent MIME type sniffing
});

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.